Add TLS-PSK authentication support via callback mechanism (#348)

* Add TLS-PSK authentication support via callback mechanism

This adds support for TLS Pre-Shared Key (PSK) authentication, allowing
secure connections without certificates using a shared secret key.

Changes:
- Add psk_cred_handler() builder method to create_webserver
- Add psk_cred_handler_callback typedef for PSK credential lookup
- Implement psk_cred_handler_func() static callback using GnuTLS
- Add MHD_OPTION_GNUTLS_PSK_CRED_HANDLER option when PSK is configured
- Add AM_CONDITIONAL for HAVE_GNUTLS in configure.ac
- Remove deprecated AC_HEADER_STDC macro
- Add minimal_https_psk example demonstrating PSK usage
- Add conditional GnuTLS linking in test/Makefile.am
- Update README.md with PSK documentation and example

The callback receives a username and returns the hex-encoded PSK,
or an empty string for unknown users.

* Update GitHub Actions to v4 (cache and checkout)

* Fix linker error: link all examples against gnutls when available

The library now uses GnuTLS functions (gnutls_malloc, gnutls_free,
gnutls_hex2bin) for PSK support, so all examples need to link against
gnutls when HAVE_GNUTLS is defined, not just the PSK example.

* Update CI for Ubuntu 24.04 compatibility

- Update sanitizer builds (asan, lsan, tsan, ubsan) from clang-13 to clang-18
- Move clang-11, clang-12, clang-13 tests to ubuntu-22.04
- Add new clang-14 through clang-17 tests on ubuntu-latest
- Add gcc-11 through gcc-14 tests
- Remove obsolete ubuntu-20.04 jobs (gcc-7, gcc-8, clang-6 through clang-10)
- Update IWYU job to use clang-18 on ubuntu-latest
- Fix cpplint errors: add missing includes and fix namespace indentation

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Fix valgrind CI job for Ubuntu 24.04

- Remove valgrind-dbg package (debug symbols now included in main package)
- Update valgrind job to use GCC 14 instead of GCC 10

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Use GCC 13 for valgrind job to avoid -Woverloaded-virtual error

GCC 14 with -Werror catches a latent warning in littletest.hpp test
framework that older compilers don't flag. Use GCC 13 for now.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Fix issues with valgrind running on g++-14

* FIx issue with overloads in tests

* Fix issue with gnutls

* Fix all cpplint issues

* Added codacy suppressions

* No need for codacy yaml. It is configured via UI

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: etr

.github/workflows/verify-build.yml

@@ -58,8 +58,8 @@ jobs:
             os-type: ubuntu
             build-type: asan
             compiler-family: clang
-            c-compiler: clang-13
-            cc-compiler: clang++-13
+            c-compiler: clang-18
+            cc-compiler: clang++-18
             debug: debug
             coverage: nocoverage
           # This test gives false positives on newer versions of clang
@@ -78,152 +78,161 @@ jobs:
             os-type: ubuntu
             build-type: lsan
             compiler-family: clang
-            c-compiler: clang-13
-            cc-compiler: clang++-13
+            c-compiler: clang-18
+            cc-compiler: clang++-18
             debug: debug
             coverage: nocoverage
           - test-group: extra
             os: ubuntu-latest
             os-type: ubuntu
             build-type: tsan
             compiler-family: clang
-            c-compiler: clang-13
-            cc-compiler: clang++-13
+            c-compiler: clang-18
+            cc-compiler: clang++-18
             debug: debug
             coverage: nocoverage
           - test-group: extra
             os: ubuntu-latest
             os-type: ubuntu
             build-type: ubsan
             compiler-family: clang
-            c-compiler: clang-13
-            cc-compiler: clang++-13
+            c-compiler: clang-18
+            cc-compiler: clang++-18
             debug: debug
             coverage: nocoverage
           - test-group: extra
-            os: ubuntu-20.04
+            os: ubuntu-latest
             os-type: ubuntu
             build-type: none
             compiler-family: gcc
-            c-compiler: gcc-7
-            cc-compiler: g++-7
+            c-compiler: gcc-9
+            cc-compiler: g++-9
             debug: nodebug
             coverage: nocoverage
           - test-group: extra
-            os: ubuntu-20.04
+            os: ubuntu-latest
             os-type: ubuntu
             build-type: none
             compiler-family: gcc
-            c-compiler: gcc-8
-            cc-compiler: g++-8
+            c-compiler: gcc-10
+            cc-compiler: g++-10
             debug: nodebug
             coverage: nocoverage
           - test-group: extra
             os: ubuntu-latest
             os-type: ubuntu
             build-type: none
             compiler-family: gcc
-            c-compiler: gcc-9
-            cc-compiler: g++-9
+            c-compiler: gcc-11
+            cc-compiler: g++-11
             debug: nodebug
             coverage: nocoverage
           - test-group: extra
             os: ubuntu-latest
             os-type: ubuntu
             build-type: none
             compiler-family: gcc
-            c-compiler: gcc-10
-            cc-compiler: g++-10
+            c-compiler: gcc-12
+            cc-compiler: g++-12
             debug: nodebug
             coverage: nocoverage
           - test-group: extra
-            os: ubuntu-20.04
+            os: ubuntu-latest
             os-type: ubuntu
             build-type: none
-            compiler-family: clang
-            c-compiler: clang-6.0
-            cc-compiler: clang++-6.0
+            compiler-family: gcc
+            c-compiler: gcc-13
+            cc-compiler: g++-13
+            debug: nodebug
+            coverage: nocoverage
+          - test-group: extra
+            os: ubuntu-latest
+            os-type: ubuntu
+            build-type: none
+            compiler-family: gcc
+            c-compiler: gcc-14
+            cc-compiler: g++-14
             debug: nodebug
             coverage: nocoverage
           - test-group: extra
-            os: ubuntu-20.04
+            os: ubuntu-22.04
             os-type: ubuntu
             build-type: none
             compiler-family: clang
-            c-compiler: clang-7
-            cc-compiler: clang++-7
+            c-compiler: clang-11
+            cc-compiler: clang++-11
             debug: nodebug
             coverage: nocoverage
           - test-group: extra
-            os: ubuntu-20.04
+            os: ubuntu-22.04
             os-type: ubuntu
             build-type: none
             compiler-family: clang
-            c-compiler: clang-8
-            cc-compiler: clang++-8
+            c-compiler: clang-12
+            cc-compiler: clang++-12
             debug: nodebug
             coverage: nocoverage
           - test-group: extra
-            os: ubuntu-20.04
+            os: ubuntu-22.04
             os-type: ubuntu
             build-type: none
             compiler-family: clang
-            c-compiler: clang-9
-            cc-compiler: clang++-9
+            c-compiler: clang-13
+            cc-compiler: clang++-13
             debug: nodebug
             coverage: nocoverage
           - test-group: extra
-            os: ubuntu-20.04
+            os: ubuntu-latest
             os-type: ubuntu
             build-type: none
             compiler-family: clang
-            c-compiler: clang-10
-            cc-compiler: clang++-10
+            c-compiler: clang-14
+            cc-compiler: clang++-14
             debug: nodebug
             coverage: nocoverage
           - test-group: extra
             os: ubuntu-latest
             os-type: ubuntu
             build-type: none
             compiler-family: clang
-            c-compiler: clang-11
-            cc-compiler: clang++-11
+            c-compiler: clang-15
+            cc-compiler: clang++-15
             debug: nodebug
             coverage: nocoverage
           - test-group: extra
             os: ubuntu-latest
             os-type: ubuntu
             build-type: none
             compiler-family: clang
-            c-compiler: clang-12
-            cc-compiler: clang++-12
+            c-compiler: clang-16
+            cc-compiler: clang++-16
             debug: nodebug
             coverage: nocoverage
           - test-group: extra
             os: ubuntu-latest
             os-type: ubuntu
             build-type: none
             compiler-family: clang
-            c-compiler: clang-13
-            cc-compiler: clang++-13
+            c-compiler: clang-17
+            cc-compiler: clang++-17
             debug: nodebug
             coverage: nocoverage
           - test-group: extra
             os: ubuntu-latest
             os-type: ubuntu
             build-type: valgrind
             compiler-family: gcc
-            c-compiler: gcc-10
-            cc-compiler: g++-10
+            c-compiler: gcc-14
+            cc-compiler: g++-14
             debug: nodebug
             coverage: nocoverage
           - test-group: extra
-            os: ubuntu-20.04
+            os: ubuntu-latest
             os-type: ubuntu
             build-type: iwyu
             compiler-family: clang
-            c-compiler: clang-9
-            cc-compiler: clang++-9
+            c-compiler: clang-18
+            cc-compiler: clang++-18
             debug: nodebug
             coverage: nocoverage
           - test-group: performance
@@ -264,7 +273,7 @@ jobs:
             coverage: nocoverage
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
       with:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
@@ -294,7 +303,7 @@ jobs:
       if: ${{ matrix.compiler-family == 'gcc' && matrix.os-type == 'ubuntu' }}
 
     - name: Install valgrind if needed
-      run: sudo apt-get install valgrind valgrind-dbg
+      run: sudo apt-get install valgrind
       if: ${{ matrix.build-type == 'valgrind' && matrix.os-type == 'ubuntu' }}
 
     - name: Install cpplint if needed
@@ -303,16 +312,12 @@ jobs:
 
     - name: Install IWYU dependencies if needed
       run: |
-        # Use same deps used by iwyu in their setup for travis
-        sudo apt-get install llvm-9-dev llvm-9-tools libclang-9-dev ;
-        # Use same CMAKE used by iwyu in their setup for travis
-        wget -O cmake.sh https://cmake.org/files/v3.10/cmake-3.10.0-Linux-x86_64.sh ;
-        sudo sh cmake.sh --skip-license --exclude-subdir --prefix=/usr/local ;
+        sudo apt-get install llvm-18-dev libclang-18-dev clang-18 ;
       if: ${{ matrix.build-type == 'iwyu' && matrix.os-type == 'ubuntu' }}
 
     - name: IWYU from cache (for testing)
       id: cache-IWYU
-      uses: actions/cache@v2
+      uses: actions/cache@v4
       with:
         path: include-what-you-use
         key: ${{ matrix.os }}-${{ matrix.c-compiler }}-include-what-you-use-pre-built
@@ -321,11 +326,11 @@ jobs:
     # Installing iwyu manually because clang and iwyu paths won't match on Ubuntu otherwise.
     - name: Build IWYU if requested
       run: |
-        CLANG_ROOT_PATH=`llvm-config-9 --prefix` ;
-        CLANG_BIN_PATH=`llvm-config-9 --bindir` ;
-        curl "https://libhttpserver.s3.amazonaws.com/travis_stuff/include-what-you-use-clang-9.tgz" -o "include-what-you-use-clang-9.tgz" ;
-        tar -xzf "include-what-you-use-clang-9.tgz" ;
+        CLANG_ROOT_PATH=`llvm-config-18 --prefix` ;
+        CLANG_BIN_PATH=`llvm-config-18 --bindir` ;
+        git clone https://github.com/include-what-you-use/include-what-you-use.git ;
         cd include-what-you-use ;
+        git checkout clang_18 ;
         mkdir build_iwyu ;
         cd build_iwyu ;
         cmake -G "Unix Makefiles" -DCMAKE_PREFIX_PATH=$CLANG_ROOT_PATH -DCMAKE_C_COMPILER=$CLANG_BIN_PATH/clang -DCMAKE_CXX_COMPILER=$CLANG_BIN_PATH/clang++ ../ ;
@@ -341,7 +346,7 @@ jobs:
 
     - name: CURL from cache (for testing)
       id: cache-CURL
-      uses: actions/cache@v2
+      uses: actions/cache@v4
       with:
         path: curl-7.75.0
         key: ${{ matrix.os }}-CURL-pre-built
@@ -352,7 +357,7 @@ jobs:
         curl https://libhttpserver.s3.amazonaws.com/travis_stuff/curl-7.75.0.tar.gz -o curl-7.75.0.tar.gz ;
         tar -xzf curl-7.75.0.tar.gz ;
         cd curl-7.75.0 ;
-        if [ "$matrix.os-type" = "ubuntu" ]; then ./configure ; else ./configure --with-darwinssl ; fi
+        ./configure --with-darwinssl ;
         make ;
       if: ${{ matrix.os == 'macos-latest' && steps.cache-CURL.outputs.cache-hit != 'true' }}
 
@@ -386,22 +391,22 @@ jobs:
 
     - name: Fetch libmicrohttpd from cache
       id: cache-libmicrohttpd
-      uses: actions/cache@v2
+      uses: actions/cache@v4
       with:
-        path: libmicrohttpd-0.9.64
-        key: ${{ matrix.os }}-${{ matrix.c-compiler }}-libmicrohttpd-pre-built
+        path: libmicrohttpd-0.9.77
+        key: ${{ matrix.os }}-${{ matrix.c-compiler }}-libmicrohttpd-0.9.77-pre-built
 
     - name: Build libmicrohttpd dependency (if not cached)
       run: |
-        curl https://s3.amazonaws.com/libhttpserver/libmicrohttpd_releases/libmicrohttpd-0.9.64.tar.gz -o libmicrohttpd-0.9.64.tar.gz ;
-        tar -xzf libmicrohttpd-0.9.64.tar.gz ;
-        cd libmicrohttpd-0.9.64 ;
+        curl https://s3.amazonaws.com/libhttpserver/libmicrohttpd_releases/libmicrohttpd-0.9.77.tar.gz -o libmicrohttpd-0.9.77.tar.gz ;
+        tar -xzf libmicrohttpd-0.9.77.tar.gz ;
+        cd libmicrohttpd-0.9.77 ;
         ./configure --disable-examples ;
         make ;
       if: steps.cache-libmicrohttpd.outputs.cache-hit != 'true'
-      
+
     - name: Install libmicrohttpd
-      run: cd libmicrohttpd-0.9.64 ; sudo make install ;
+      run: cd libmicrohttpd-0.9.77 ; sudo make install ;
 
     - name: Refresh links to shared libs
       run: sudo ldconfig ;
@@ -421,7 +426,7 @@ jobs:
         if [ "$BUILD_TYPE" = "ubsan" ]; then export export CFLAGS='-fsanitize=undefined'; export CXXLAGS='-fsanitize=undefined'; export LDFLAGS='-fsanitize=undefined'; fi
 
         # Additional flags on mac. They need to stay in step as env variables don't propagate across steps.
-        if [ "$matrix.os" = "macos-latest" ]; then
+        if [ "${{ matrix.os }}" = "macos-latest" ]; then
           export CFLAGS='-mtune=generic' ;
           export IPV6_TESTS_ENABLED="true" ;
         fi

README.md

@@ -313,6 +313,7 @@ You can also check this example on [github](https://github.com/etr/libhttpserver
 * _.https_mem_cert(**const std::string&** filename):_ String representing the path to a file containing the certificate to be used by the HTTPS daemon. This must be used in conjunction with `https_mem_key`.
 * _.https_mem_trust(**const std::string&** filename):_ String representing the path to a file containing the CA certificate to be used by the HTTPS daemon to authenticate and trust clients certificates. The presence of this option activates the request of certificate to the client. The request to the client is marked optional, and it is the responsibility of the server to check the presence of the certificate if needed. Note that most browsers will only present a client certificate only if they have one matching the specified CA, not sending any certificate otherwise.
 * _.https_priorities(**const std::string&** priority_string):_ SSL/TLS protocol version and ciphers. Must be followed by a string specifying the SSL/TLS protocol versions and ciphers that are acceptable for the application. The string is passed unchanged to gnutls_priority_init. If this option is not specified, `"NORMAL"` is used.
+* _.psk_cred_handler(**psk_cred_handler_callback** handler):_ Sets a callback function for TLS-PSK (Pre-Shared Key) authentication. The callback receives a username and should return the corresponding hex-encoded PSK, or an empty string if the user is unknown. This option requires `use_ssl()`, `cred_type(http::http_utils::PSK)`, and an appropriate `https_priorities()` string that enables PSK cipher suites. PSK authentication allows TLS without certificates by using a shared secret key.
 
 #### Minimal example using HTTPS
 ```cpp
@@ -346,6 +347,59 @@ To test the above example, you can run the following command from a terminal:
 
 You can also check this example on [github](https://github.com/etr/libhttpserver/blob/master/examples/minimal_https.cpp).
 
+#### Minimal example using TLS-PSK
+```cpp
+    #include <httpserver.hpp>
+    #include <map>
+    #include <string>
+
+    using namespace httpserver;
+
+    // Simple PSK database - in production, use secure storage
+    std::map<std::string, std::string> psk_database = {
+        {"client1", "0123456789abcdef0123456789abcdef"},
+        {"client2", "fedcba9876543210fedcba9876543210"}
+    };
+
+    // PSK credential handler callback
+    std::string psk_handler(const std::string& username) {
+        auto it = psk_database.find(username);
+        if (it != psk_database.end()) {
+            return it->second;
+        }
+        return "";  // Return empty string for unknown users
+    }
+
+    class hello_world_resource : public http_resource {
+    public:
+        std::shared_ptr<http_response> render(const http_request&) {
+            return std::shared_ptr<http_response>(
+                new string_response("Hello, World (via TLS-PSK)!"));
+        }
+    };
+
+    int main(int argc, char** argv) {
+        webserver ws = create_webserver(8080)
+            .use_ssl()
+            .cred_type(http::http_utils::PSK)
+            .psk_cred_handler(psk_handler)
+            .https_priorities("NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:+PSK:+DHE-PSK");
+
+        hello_world_resource hwr;
+        ws.register_resource("/hello", &hwr);
+        ws.start(true);
+
+        return 0;
+    }
+```
+To test the above example, you can run the following command from a terminal using gnutls-cli:
+
+    gnutls-cli --pskusername=client1 --pskkey=0123456789abcdef0123456789abcdef -p 8080 localhost
+
+Then type `GET /hello HTTP/1.1` followed by `Host: localhost` and two newlines.
+
+You can also check this example on [github](https://github.com/etr/libhttpserver/blob/master/examples/minimal_https_psk.cpp).
+
 ### IP Blacklisting/Whitelisting
 libhttpserver supports IP blacklisting and whitelisting as an internal feature. This section explains the startup options related with IP blacklisting/whitelisting. See the [specific section](#ip-blacklisting-and-whitelisting) to read more about the topic.
 * _.ban_system() and .no_ban_system:_ Can be used to enable/disable the ban system. `on` by default.